Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Valid
Reported on
Nov 23rd 2021
Description
CSRF to disable 2FA
Proof of Concept
<a href="http://10.0.2.15/profile/delete-code">CLICK ME!</a>
Impact
This vulnerability is capable of tricking users into disabling 2FA.
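The pattern behind this report, as an added illustration that is not Firefly III's own code (the project is PHP/Laravel; this is a stdlib-only Python stand-in with hypothetical handler names): a state-changing endpoint that accepts a bare GET with only a session cookie, next to the usual hardening of requiring POST plus a per-session CSRF token. The scenarios are constructed to mirror the report's link-based PoC and a cross-site form post. The 419 status is the one Laravel's VerifyCsrfToken middleware returns on a token mismatch; everything else here is a model, not the project's actual fix.

```python
"""Model of a state-changing endpoint with and without CSRF protection.

Added illustration, not Firefly III code: it stands in for a Laravel route
like /profile/delete-code using plain Python and hypothetical handler names.
"""
import hmac
import secrets
from dataclasses import dataclass, field

PATH = "/profile/delete-code"  # the endpoint named in the report


@dataclass
class Session:
    """Server-side session that the browser's cookie points at."""
    user: str
    two_factor_enabled: bool = True
    # Per-session secret rendered into the app's own forms as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    session: Session  # attached via cookie, so it rides along on cross-site requests
    form: dict = field(default_factory=dict)


def unprotected_delete_code(req: Request) -> int:
    """Vulnerable pattern: a plain GET with a valid session cookie disables 2FA."""
    if req.path != PATH:
        return 404
    req.session.two_factor_enabled = False
    return 302  # redirect back to the profile page


def protected_delete_code(req: Request) -> int:
    """Hardened pattern: state changes only on POST carrying the session's CSRF token."""
    if req.path != PATH:
        return 404
    if req.method != "POST":
        return 405  # GET must never mutate state; a link cannot carry a token
    token = req.form.get("_token", "")
    # Constant-time compare; 419 is the status Laravel's VerifyCsrfToken
    # middleware uses for a token mismatch.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 419
    req.session.two_factor_enabled = False
    return 302


# --- constructed scenarios matching the report's PoC -----------------------

def cross_site_get(handler, session: Session) -> int:
    """The report's <a href="…/profile/delete-code"> PoC: the victim clicks a
    link on an attacker page; the browser sends the victim's cookie and the
    attacker controls nothing else."""
    return handler(Request("GET", PATH, session))


def cross_site_post(handler, session: Session) -> int:
    """An auto-submitting cross-site form: the attacker picks method and body
    but cannot read the victim's token (same-origin policy)."""
    return handler(Request("POST", PATH, session, form={"_token": "attacker-guess"}))


def same_site_post(handler, session: Session) -> int:
    """The app's own 'disable 2FA' form, which embeds the session token."""
    return handler(Request("POST", PATH, session, form={"_token": session.csrf_token}))


def run_scenarios() -> dict:
    """Run each scenario against both handlers; values are (status, 2FA still on)."""
    results = {}
    for name, handler in (("unprotected", unprotected_delete_code),
                          ("protected", protected_delete_code)):
        for scenario in (cross_site_get, cross_site_post, same_site_post):
            s = Session(user="victim")
            status = scenario(handler, s)
            results[(name, scenario.__name__)] = (status, s.two_factor_enabled)
    return results


if __name__ == "__main__":
    for (handler_name, scenario_name), (status, on) in run_scenarios().items():
        print(f"{handler_name:11s} {scenario_name:16s} -> HTTP {status}, 2FA enabled: {on}")
```

A SameSite cookie attribute is a useful second layer but does not rescue the unprotected handler: with SameSite=Lax the browser still sends cookies on a top-level GET navigation, which is exactly what clicking the PoC link is. The durable fix is the one modelled above: no state change on GET, and a token check on the POST.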
We are processing your report and will contact the firefly-iii team within 24 hours.
a year ago
My apologies for submitting the reports earlier regarding /debug and /flush. I was under the assumption that /debug and /flush were available only to admin users, as the /flush UI only appeared in the Administration panel.
haxatron modified the report
a year ago
haxatron modified the report
a year ago
With further testing on the application after I made the reports, I discovered another CSRF-unprotected endpoint that allows a state change; the endpoint is as listed above.
James Cole
commented
a year ago
Nice find, that's an important one to fix. No worries about the other endpoints, keep it up!
Are we able to mark a fix against this report, and we can go ahead and publish the CVE!